CVE Catalog

CVE-2026-55205

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile — higher than 22% of all known CVEs

Summary

Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint that allows unbounded accumulation of in-memory flow state and daemon threads.

Risk Assessment

Attackers can send repeated or concurrent requests to exhaust server memory and thread resources, potentially triggering repeated outbound device-code requests to upstream OAuth providers.

Recommendation

It is recommended to update Hermes WebUI to version 0.51.468 or later to mitigate this vulnerability and to monitor traffic to the endpoint for potential attacks.

Original NVD description (English source)

Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint that allows unbounded accumulation of in-memory flow state and daemon threads. Attackers can send repeated or concurrent requests to exhaust server memory and thread resources, potentially triggering repeated outbound device-code requests to upstream OAuth providers.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS